Moved the sigType-setting logic inside the if (devId == INVALID_DEVID) block so it only runs for the new callback path

jackctj117 · jackctj117 · commit 2d494182373d · 2026-02-13T15:43:05.000-07:00
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -7828,19 +7828,6 @@ int wolfTPM2_CSR_MakeAndSign_ex(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
         return BAD_FUNC_ARG;
     }
 
-    /* Set signature type if not specified */
-    if (sigType == 0) {
-        if (keyType == RSA_TYPE) {
-            csr->req.sigType = CTC_SHA256wRSA;
-        }
-        else if (keyType == ECC_TYPE) {
-            csr->req.sigType = CTC_SHA256wECDSA;
-        }
-    }
-    else {
-        csr->req.sigType = sigType;
-    }
-
     /* Set version to 2 for self-signed certificates, 0 for regular CSRs per RFC2986 */
     if (selfSignCert) {
         csr->req.version = 2;
@@ -7851,6 +7838,18 @@ int wolfTPM2_CSR_MakeAndSign_ex(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
 
     /* Use new callback-based signing if devId not specified */
     if (devId == INVALID_DEVID) {
+        /* Set signature type if not specified */
+        if (sigType == 0) {
+            if (keyType == RSA_TYPE) {
+                csr->req.sigType = CTC_SHA256wRSA;
+            }
+            else if (keyType == ECC_TYPE) {
+                csr->req.sigType = CTC_SHA256wECDSA;
+            }
+        }
+        else {
+            csr->req.sigType = sigType;
+        }
         rc = CSR_MakeAndSign_Cb(dev, csr, key, keyType, outFormat, out, outSz,
             selfSignCert);
     }
